Thursday, August 14, 2014

H323 traffic failing to traverse a Fortigate firewall

Had a scenario recently where a Polycom video conferencing device just wouldn’t work when sitting behind a Fortigate firewall. This was despite all the necessary TCP ports being forwarded to the device, as verified by Polycom support.

What we were seeing was that one could dial the VC, but it would just ring and never make the connection. Time to debug the traffic on the Fortigate – this is what I saw:

The “run helper” sequence kicked in as soon as one attempted to pick up the call on the VC: the Fortigate’s H.323 session helper (its application layer gateway) was intercepting the call signalling. Polycom’s guidance is to disable any H.323 helpers explicitly, so that is exactly what I did, like so:

From the CLI, enter “config system session-helper” and then “show” to list the configured helpers. Redacted to the relevant entries, the output looked like this:

    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next

Entry 2 is the H.323 helper on TCP/1720 (protocol 6 is TCP) and entry 13 is the SIP helper on UDP/5060 (protocol 17 is UDP). Check the entry numbers on your own unit before deleting anything; they can differ if the helper table has been edited.

Now delete these helpers by executing:

    config system session-helper
        delete 2
        delete 13
    end

Then enter the following commands (“config system settings” is per VDOM, so if VDOMs are enabled, select the right one with “config vdom” first):

    config system settings
        set sip-helper disable
        set sip-nat-trace disable
    end

Two caveats worth knowing before you do this. First, with the helpers gone the Fortigate no longer follows the H.323/SIP signalling to open the media (RTP) ports dynamically, nor does it sanity-check that signalling, so the static port forwards to the VC must cover the full port range the device uses and the forwarding policy should be restricted to the VC’s address and, where possible, to known peer networks. Second, on FortiOS 5.x SIP can also be handled by the proxy-based VoIP ALG (a VoIP profile attached to the policy), which these helper commands do not touch; if SIP calls still misbehave, check the VoIP profile on the policy as well.
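The helper entry numbers are table indices rather than stable identifiers, so a practitioner automating this across several units should parse the “show” output and derive the delete commands rather than hard-coding 2 and 13. The script below is an added example, not code from the original post or from Fortinet: it parses a constructed sample of “config system session-helper” / “show” output (the entries and numbers in it are made up for the example), reports which entries match the helper names you want removed, and emits the CLI from the procedure above ready to paste into a FortiOS session.

```python
"""Find FortiOS session-helper entries by name and emit the CLI to remove them.

Added example; SAMPLE_SHOW is constructed output, not taken from a real unit.
"""
import re
from typing import Dict, List, Sequence

# Constructed sample of `config system session-helper` followed by `show`,
# trimmed to four entries. Real units list more helpers, and the entry
# numbers are only an example.
SAMPLE_SHOW = """\
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
    edit 14
        set name dns-udp
        set port 53
        set protocol 17
    next
end
"""

# IP protocol numbers as they appear in the helper table.
PROTO_NAMES = {"6": "tcp", "17": "udp"}

_EDIT_RE = re.compile(r"^edit\s+(\d+)$")
_SET_RE = re.compile(r"^set\s+(\S+)\s+(.+?)$")


def parse_session_helpers(show_output: str) -> Dict[int, Dict[str, str]]:
    """Map each `edit N` entry to its `set` attributes (name, port, protocol)."""
    helpers: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = _EDIT_RE.match(line)
        if m:
            current = int(m.group(1))
            helpers[current] = {}
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            helpers[current][m.group(1)] = m.group(2)
    return helpers


def find_helper_ids(helpers: Dict[int, Dict[str, str]],
                    names: Sequence[str]) -> Dict[str, List[int]]:
    """Return {helper_name: [entry numbers]} for the requested names."""
    found: Dict[str, List[int]] = {n: [] for n in names}
    for entry_id, attrs in sorted(helpers.items()):
        name = attrs.get("name", "")
        if name in found:
            found[name].append(entry_id)
    return found


def describe_helpers(helpers: Dict[int, Dict[str, str]],
                     names: Sequence[str] = ("h323", "sip")) -> List[str]:
    """Human-readable summary ("2: h323 tcp/1720") to review before deleting."""
    found = find_helper_ids(helpers, names)
    out = []
    for name in names:
        for entry_id in found[name]:
            attrs = helpers[entry_id]
            proto = PROTO_NAMES.get(attrs.get("protocol", ""), attrs.get("protocol", "?"))
            out.append(f"{entry_id}: {name} {proto}/{attrs.get('port', '?')}")
    return out


def build_removal_cli(helpers: Dict[int, Dict[str, str]],
                      names: Sequence[str] = ("h323", "sip"),
                      disable_sip_helper: bool = True) -> str:
    """Emit the FortiOS CLI that deletes the named helpers; fail if one is absent."""
    found = find_helper_ids(helpers, names)
    missing = [n for n in names if not found[n]]
    if missing:
        raise ValueError("no session-helper entry named: " + ", ".join(missing))
    lines = ["config system session-helper"]
    for name in names:
        for entry_id in found[name]:
            lines.append(f"    delete {entry_id}")
    lines.append("end")
    if disable_sip_helper:
        lines += ["config system settings",
                  "    set sip-helper disable",
                  "    set sip-nat-trace disable",
                  "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_session_helpers(SAMPLE_SHOW)
    print("\n".join(describe_helpers(parsed)))
    print(build_removal_cli(parsed))
```

Review the summary lines before applying the generated block, and feed the script real “show” output captured from your own unit; the ValueError on a missing name is deliberate, so that a firmware whose helper table lacks an expected entry is noticed rather than silently skipped.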
